Description of problem:
Installing opencryptoki into container image fails because the rpm contains /var/lock/opencryptoki but Fedora base image does not contain /run/lock.

Version-Release number of selected component (if applicable):
opencryptoki-3.4.1-1.fc23.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. docker run --rm -ti fedora:23 dnf install -y opencryptoki

Actual results:
$ docker run --rm -ti fedora:23 dnf install -y opencryptoki
Fedora 23 - x86_64 - Updates                     51 MB/s |  22 MB     00:00
Fedora 23 - x86_64                               58 MB/s |  43 MB     00:00
Last metadata expiration check performed 0:00:26 ago on Tue May 31 08:32:12 2016.
Dependencies resolved.
================================================================================
 Package                  Arch       Version              Repository       Size
================================================================================
Installing:
 opencryptoki             x86_64     3.4.1-1.fc23         updates         101 k
 opencryptoki-icsftok     x86_64     3.4.1-1.fc23         updates         228 k
 opencryptoki-libs        x86_64     3.4.1-1.fc23         updates          45 k

Transaction Summary
================================================================================
Install  3 Packages

Total download size: 373 k
Installed size: 1.0 M
Downloading Packages:
(1/3): opencryptoki-3.4.1-1.fc23.x86_64.rpm      693 kB/s | 101 kB     00:00
(2/3): opencryptoki-libs-3.4.1-1.fc23.x86_64.rp  202 kB/s |  45 kB     00:00
(3/3): opencryptoki-icsftok-3.4.1-1.fc23.x86_64  1.0 MB/s | 228 kB     00:00
--------------------------------------------------------------------------------
Total                                            276 kB/s | 373 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : opencryptoki-libs-3.4.1-1.fc23.x86_64                       1/3
  Installing  : opencryptoki-icsftok-3.4.1-1.fc23.x86_64                    2/3
  Installing  : opencryptoki-3.4.1-1.fc23.x86_64                            3/3
Error unpacking rpm package opencryptoki-3.4.1-1.fc23.x86_64
Error unpacking rpm package opencryptoki-3.4.1-1.fc23.x86_64
error: unpacking of archive failed on file /var/lock/opencryptoki: cpio: mkdir
opencryptoki-3.4.1-1.fc23.x86_64 was supposed to be installed but is not!
  Verifying   : opencryptoki-3.4.1-1.fc23.x86_64                            1/3
  Verifying   : opencryptoki-libs-3.4.1-1.fc23.x86_64                       2/3
  Verifying   : opencryptoki-icsftok-3.4.1-1.fc23.x86_64                    3/3

Installed:
  opencryptoki-icsftok.x86_64 3.4.1-1.fc23
  opencryptoki-libs.x86_64 3.4.1-1.fc23

Failed:
  opencryptoki.x86_64 3.4.1-1.fc23

Complete!

Expected results:
No error.

Additional info:
The /var/lock is symlink to /run/lock:

$ docker run --rm -ti fedora:23 ls -la /var/run /run/lock
ls: cannot access /run/lock: No such file or directory
lrwxrwxrwx. 1 root root 6 Mar 4 05:17 /var/run -> ../run

The /run gets mounted as tmpfs so opencryptoki should be putting in anything there anyway. If it needs the directory in runtime, it likely should use tmpfiles.

There is the same problem with centos:centos7 and opencryptoki-3.2-5.el7_2.x86_64. On RHEL, the /run has /run/lock in the image but I believe the fix should go to RHEL as well.
We are using tmpfiles already, but for some reason only for the subdirectories of /run/lock/opencryptoki (also the subdirs are part of the RPM, which should not be). Fix will look somehow like below, but give me some time to test before issuing updates: diff --git a/opencryptoki.spec b/opencryptoki.spec index 77e70e6..d7048ab 100644 --- a/opencryptoki.spec +++ b/opencryptoki.spec @@ -195,6 +195,7 @@ token_subdirs="$token_subdirs lite ccatok ep11tok" %endif cp -p %{SOURCE1} %{name}-tmpfiles.conf +echo "D /var/lock/opencryptoki/ 0770 root pkcs11 -" >> %{name}-tmpfiles.conf for d in $token_subdirs do echo "D /var/lock/opencryptoki/$d 0770 root pkcs11 -" >> %{name}-tmpfiles.conf @@ -277,8 +278,6 @@ exit 0 %{_libdir}/opencryptoki/methods %{_libdir}/pkcs11/methods %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name} -%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name} -%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}/* %files libs %license LICENSE
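Review bot: in the first hunk (@@ -195,6 +195,7), the added echo line only records "D /var/lock/opencryptoki/" in %{name}-tmpfiles.conf, and nothing in the visible lines applies that configuration at install time, so in a container image or chroot that is never booted the directory is still absent after the transaction. If the package needs the directory immediately, apply the tmpfiles configuration from a scriptlet or document that it appears only once systemd-tmpfiles has run. The new entry also ends in a trailing slash while the entries written by the loop below it do not; drop the slash so all lines follow one form.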
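Review bot: in the second hunk (@@ -277,8 +278,6), deleting both %dir lines from %files leaves /var/lock/opencryptoki and its subdirectories owned by no package, so the 770 root:pkcs11 ownership and mode of the lock directories is then stated only in the generated tmpfiles configuration. Consider keeping the directories in %files as %ghost %dir %attr(770,root,pkcs11) entries, which keeps package ownership and the intended mode on record without unpacking anything below /var/lock.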
I think there were some issues with the tmpfiles based /var/lock but can't recall the details now. Something with installing into a chroot and a workaround in mock ...
I assume you have bug 1084052 in mind.
I have now filed https://fedorahosted.org/spin-kickstarts/ticket/62 and asked at the devel@ list: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/U2R34HF2IYWX7CVNONIW7HIKIQTYPBKN/
The first insight was too early before lunch so ignore the patch in the comment #2. We already have /var/lock/opencryptoki/ in tmpfiles and creating of the directories is advised. Problem is missing /var/lock (and /run/lock, which would be an alternative).
We didn't get any update on ML, so a few more notes from my investigation and filling gaps of my prior knowledge (maybe worth pasting also to the fedora-devel too?):

Fedora corresponds to Standard FHS [1]. It does not specify what /run should look like. The content that opencryptoki is trying to store fits well into /var/lock. On the other hand, the exceptions in packaging guidelines speak about /run, which also looks like a place to fit these files these days.

"Systemd"/freedesktop file-hierarchy does not specify the */lock directories in any special way [2], instead it recommends path /run/package for this usage, which is probably the way to go.

So I guess a valid solution would be to move from /run/lock/opencryptoki to /run/opencryptoki (but not in RHEL7). Opencryptoki configure does not accept modification of this directory, so it needs to be patched (I will propose some configure option upstream, if this is the way we want to go).

I built scratch build [3] for rawhide before pushing this to the wild, so you can check if it does what it is supposed to do.

[1] https://fedoraproject.org/wiki/Packaging:Guidelines#Filesystem_Layout
[2] https://www.freedesktop.org/software/systemd/man/file-hierarchy.html
[3] http://koji.fedoraproject.org/koji/taskinfo?taskID=14353034
I'm seeing the same problem with package "iptraf-ng" on CentOS 7.2, when running in Docker container:

  Installing : iptraf-ng-1.1.4-4.el7.x86_64                               51/59
Error unpacking rpm package iptraf-ng-1.1.4-4.el7.x86_64
error: unpacking of archive failed on file /var/lock/iptraf-ng: cpio: mkdir
Centos:7 docker base image bug/issue: "/var/lock is a symlink to a non-existant directory": https://github.com/CentOS/sig-cloud-instance-images/issues/46
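The failures in this thread all come from a package shipping a directory below a symlink (/var/lock) whose target is missing from the image. As an added example (not part of the bug report or of any project's code), this shell function walks a path's parent directories inside an unpacked image or chroot tree and reports the first dangling link; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate the dangling symlink that makes rpm's mkdir fail.

# first_dangling_link ROOT PATH
# Walks the parent directories of PATH inside the tree at ROOT and prints the
# first symlink whose target does not exist. Returns 0 if one is found,
# 1 if every parent resolves. Link targets are resolved inside ROOT.
first_dangling_link() {
    root=${1%/}
    rest=$(dirname "$2"); rest=${rest#/}
    cur=""
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        cur="$cur/$comp"
        hops=0   # guard against symlink loops
        while [ -L "$root$cur" ] && [ "$hops" -lt 40 ]; do
            link=$cur
            target=$(readlink "$root$cur")
            case $target in
                /*) cur=$target ;;                     # absolute: re-root under ROOT
                *)  cur="$(dirname "$cur")/$target" ;; # relative to the link's directory
            esac
            if [ ! -e "$root$cur" ] && [ ! -L "$root$cur" ]; then
                printf '%s -> %s\n' "$link" "$target"
                return 0
            fi
            hops=$((hops + 1))
        done
    done
    return 1
}

# Constructed sample tree mirroring the layout reported in this bug:
# /var/lock is a symlink to ../run/lock, and /run exists without /run/lock.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/var" "$r/run"
    ln -s ../run/lock "$r/var/lock"
    printf '%s\n' "$r"
}

sample=$(make_sample_root)
first_dangling_link "$sample" /var/lock/opencryptoki || echo "parents resolve"
mkdir "$sample/run/lock"   # the directory the fixed base images contain
first_dangling_link "$sample" /var/lock/opencryptoki || echo "parents resolve"
rm -rf "$sample"
```

Run against an exported image filesystem or a mock chroot, the same call can be looped over every directory a package lists under /var/lock or /run before the package is installed.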
It looks like bug 1343138 brought /var/lock to current fedora:24 image (11a5107645d4).
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Due to bug 1343138 comment 11, things work on fedora:24 but fail again on fedora:25 and fedora:rawhide.
Note, same issue affects installing to a mock chroot:

<mock-chroot> sh-4.4# dnf install opencryptoki
Last metadata expiration check: 0:00:00 ago on Fri May 26 14:31:36 2017 PDT.
Dependencies resolved.
================================================================================
 Package              Arch         Version              Repository        Size
================================================================================
Installing dependencies:
 opencryptoki         x86_64       3.7.0-1.fc27         fedora           101 k

Transaction Summary
================================================================================
Install  1 Package

Total size: 101 k
Installed size: 264 k
Downloading Packages:
[SKIPPED] opencryptoki-3.7.0-1.fc27.x86_64.rpm: Already downloaded
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing   :                                                             1/1
  Installing  : opencryptoki-3.7.0-1.fc27.x86_64                            1/1
Error unpacking rpm package opencryptoki-3.7.0-1.fc27.x86_64
Error unpacking rpm package opencryptoki-3.7.0-1.fc27.x86_64
error: unpacking of archive failed on file /var/lock/opencryptoki: cpio: mkdir
opencryptoki-3.7.0-1.fc27.x86_64 was supposed to be installed but is not!
  Verifying   : opencryptoki-3.7.0-1.fc27.x86_64                            1/1

Failed:
  opencryptoki.x86_64 3.7.0-1.fc27

Error: Transaction failed
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
While things still fail on fedora:25, they work on fedora:26 and higher:

# docker run --rm -ti fedora:25 dnf install -y opencryptoki
[...]
  Installing  : opencryptoki-3.6.2-1.fc25.x86_64                            3/3
Error unpacking rpm package opencryptoki-3.6.2-1.fc25.x86_64
Error unpacking rpm package opencryptoki-3.6.2-1.fc25.x86_64
error: unpacking of archive failed on file /var/lock/opencryptoki: cpio: mkdir
opencryptoki-3.6.2-1.fc25.x86_64 was supposed to be installed but is not!
  Verifying   : opencryptoki-3.6.2-1.fc25.x86_64                            1/3

# docker run --rm -ti fedora:26 dnf install -y opencryptoki
[...]
  Running scriptlet: opencryptoki-icsftok-3.6.2-1.fc26.x86_64               2/3
  Installing  : opencryptoki-3.6.2-1.fc26.x86_64                            3/3
  Running scriptlet: opencryptoki-3.6.2-1.fc26.x86_64                       3/3
Failed to connect to bus: No such file or directory
  Verifying   : opencryptoki-3.6.2-1.fc26.x86_64                            1/3

primarily because of the /run/lock fix per bug 1343138 comment 16.

What is the best resolution of this bugzilla (so that it does not fall into EOL)?
I am no longer the opencryptoki main contact, but I noticed that Dan Horak was building the latest packages in Fedora 28, which brought some improvement for this issue directly from IBM upstream. It is now shipping the new tmpfiles with the following content, so it should work regardless of the referenced fix (I did not test that):

# path mode uid gid age
D /var/lock/opencryptoki 0770 root pkcs11 -
D /var/lock/opencryptoki/swtok 0770 root pkcs11 -
D /var/lock/opencryptoki/tpm 0770 root pkcs11 -
D /var/lock/opencryptoki/icsf 0770 root pkcs11 -

So I believe CLOSED CURRENTRELEASE/NEXTRELEASE is appropriate, if you agree.
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.